[nsd-users] Set NSD to ignore, instead of refusing, external recursive queries?

Mon Jun 19 12:30:07 UTC 2017

On Monday, 19 June 2017 12:38:11 PM AEST Sebastian Nielsen wrote:
> What do you mean? What is "off-path spoofing attacks" and how would ignoring
> a query instead of replying to it, make you more vulnerable?

When a query is made from a caching resolver there is a race between the 
legitimate answer and one that presents the same source ip, destination port 
and dns query id that the caching resolver is expecting. This latter response 
is an "off-path spoofing attack". For an attacker to be able to win the race 
they have to guess the source port the cache used (which becomes the 
destination port that the authoritative server responds on) and the 16 bit 
query id before the legitimate server has a chance to respond. If the 
legitimate server never responds because it's configured to blackhole queries 
for the domain (even if the cache and/or authoritative server is misconfigured/
unwisely configure as in the original question as caching resolvers should not 
be sending queries with recursion desired to authoritative servers in normal 
circumstances) then the attacker gets more time (presumably up to sime timeout 
hardcoded into the cache) to continue guessing the correct source port/query 
id combination. In the case that the authoritative server is configured to send 
a REFUSED response then the attacker has 1 round trip from the cache to the 
authoritative server in which to guess this combination. I also suspect that 
many caches will track the refused response from the authoritative server as a 
lame delegation and avoid it, so that the attacker can't continue querying the 
cache and attempting to poison the cache. They only need to win the race once 
in order to override the legitimate answer, so when the server which is 
supposed to be responsible for the domain doesn't respond they can keep 
retrying for much longer.

> 
> Why does Steve Gibson ( http://www.grc.com ) say its more spoofing-resistant
> to ignore external queries instead of refusing?

Because he's a snake-oil salesman who doesn't really know what he's talking 
about. His advice might be useful in the case of a client system. Someone 
scanning for potentially exploitable computers might choose to do a icmp-
request or probe a particular service with known vulnerabilities. Not replying 
to them means that they will be unsure as to whether there is a computer 
connected at that ip address at all. In the case of a server, you're providing 
a publicly available service. You presumably want random people on the 
internet to be able to make use of the service, so sending a response is 
desirable. 

> 
> -----Ursprungligt meddelande-----
> Från: Ondřej Surý [mailto:ondrej at sury.org]
> Skickat: den 19 juni 2017 09:08
> Till: Sebastian Nielsen <sebastian at sebbe.eu>; nsd-users at NLnetLabs.nl
> Ämne: Re: [nsd-users] Set NSD to ignore, instead of refusing, external
> recursive queries?
> 
> And make yourself more vulnerable to off-path spoofing attackers? That's a
> really bad idea.
> 
> O.
> --
> Ondřej Surý <ondrej at sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server Knot
> Resolver (https://www.knot-resolver.cz/) – secure, privacy-aware, fast
> DNS(SEC) resolver Vše pro chleba (https://vseprochleba.cz) – Mouky ze mlýna
> a potřeby pro pečení chleba všeho druhu
> On Mon, Jun 5, 2017, at 23:24, Sebastian Nielsen wrote:
> > Is it possible to tell NSD to just drop recursive queries, instead of
> > replying with a "REFUSED" message?
> > 
> > _______________________________________________
> > nsd-users mailing list
> > nsd-users at NLnetLabs.nl
> > https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
> > Email had 1 attachment:
> > + smime.p7s
> > 
> >   9k (application/pkcs7-signature)